Abstract

This paper presents the concept of digit polynomials, which leads
to a deterministic and unconditional integer factorization algorithm
with the runtime complexity $O(N^{1/4+\epsilon})$. Strassen’s well known
factoring approach is a special case of our method. We will also consider
a possibility to improve upon the complexity bound.

1 Introduction 

We consider the problem of computing the prime factorization of a given
natural number $N$. Currently, the best publicly known deterministic and
unconditional factorization algorithms all have a runtime complexity of the
form $O(N^{1/4+\epsilon})$ [W, p.240]. A method which achieves this complexity is the
approach of Strassen [S], based on the idea to compute parts of
$\lfloor N^{1/2} \rfloor!$ to find a nontrivial factor of $N$. A recent improvement of the
logarithmic factor in the complexity bound can be found in [CH]. For a
general overview, the reader may consult [P].

In this paper we present a method based on products of certain
polynomials. The main idea is to construct polynomials $g \in \mathbb{Z}[X]$ such that as
many integers $x$, $0 \le x \le N-1$, as possible satisfy

$$1 < \gcd(g(x), N) < N.$$

Several $b$-adic representations of $N$ are used in Theorem 2.9, which yields a
method to construct such a polynomial of degree $d$ with complexity $O(d^{1+\epsilon})$.
In the factorization algorithm we will not only make use of the cardinality,
but also of the position of those $x$ with the property above.

Our deterministic method is not appropriate for factorizing large
numbers. In practice, probabilistic algorithms with much lower complexity are
used for this task (see [R] and [CP]).

2 Basic Ideas 

Throughout this paper, $\mathbb{P}$ denotes the set of primes. We call a natural
number semiprime if and only if it is the product of two distinct primes. Let
$n \in \mathbb{N}$. We denote the complete residue system $\{0, \ldots, n-1\}$ modulo $n$ by $\mathbb{Z}_n$
and the residue class ring $\mathbb{Z}/n\mathbb{Z}$ by $\mathbb{Z}_n$. For $f \in \mathbb{Z}[X]$, we write the leading
coefficient of $f$ as $\mathrm{lc} f$. Until further notice, let $N \in \mathbb{N}$ be fixed.

Definition 2.1. Let $b \in \mathbb{Z}$. We denote the set of polynomials $f \in \mathbb{Z}[X]$
with the property $f(b) = N$ by $\mathcal{D}_{N,b}$. The elements of $\mathcal{D}_{N,b}$ are called digit
polynomials of $N$ to base $b$.

Definition 2.2. Let $b \in \mathbb{N}$, $b > 2$. Let $N = \sum_{i \ge 0} n_i b^i$ be the unique $b$-adic
representation of $N$ with digits $n_i \in \{0, \ldots, b-1\}$. Define

$$P_b := \sum_{i \ge 0} n_i X^i \in \mathbb{Z}[X].$$

We call $P_b$ the $b$-adic digit polynomial of $N$. Clearly, we have $P_b \in \mathcal{D}_{N,b}$.

Lemma 2.3. Let $b \in \mathbb{Z}$ and $f \in \mathcal{D}_{N,b}$. Then, for every $x \in \mathbb{Z}$, we have
$N \equiv f(x) \bmod x - b$.

Proof. We know that $b$ is a zero of the polynomial $f - N$, hence $X - b$
divides $f - N$ in $\mathbb{Z}[X]$ and the congruence holds for every evaluation. □

Corollary 2.4. Let $b \in \mathbb{Z}$ and $f \in \mathcal{D}_{N,b}$. We conclude for every $x \in \mathbb{Z}$ that
$\gcd(N, x - b) = \gcd(f(x), x - b)$, and that $x - b \mid N$ iff $x - b \mid f(x)$.

Lemma 2.5. Let $u$ and $v$ be nontrivial and coprime divisors of $N$. Let $b \in \mathbb{Z}$
and $f \in \mathcal{D}_{N,b}$ such that

1. $\gcd(\mathrm{lc} f, N) = 1$ and

2. $d := \deg f$ is smaller than the largest prime factor of $v$.

Then there exists $x \in \mathbb{Z}$ with $u \mid f(x)$ and $v \nmid f(x)$.




Digit Polynomials 


3 


Proof. Let $y \in \mathbb{Z}$ be arbitrary. Let $x \in \mathbb{Z}$ with $uy = x - b$. From Lemma
2.3 we derive $u \mid f(x)$, hence $u \mid f(uy + b)$ for any $y \in \mathbb{Z}$. We have to show
that there exists $y \in \mathbb{Z}$ with $v \nmid f(uy + b)$.

Assume to the contrary that $f(uy + b) \equiv 0 \bmod v$ for all $y \in \mathbb{Z}$. Write
$f(uy + b)$ as $f(b) + u \cdot g(y)$ for $g \in \mathbb{Z}[X]$. It is easy to verify that $\deg g = d$
and $\mathrm{lc}\, g = u^{d-1} \mathrm{lc} f$. Let $p$ be the largest prime factor of $v$. Then, for every
$y \in \mathbb{Z}$, it follows that

$$f(uy + b) = u \cdot g(y) + f(b) \equiv u \cdot g(y) \equiv 0 \bmod p.$$

The fact $p \nmid u$ implies $g(y) \equiv 0 \bmod p$ for every $y \in \mathbb{Z}$. But, since
$\gcd(\mathrm{lc} f, N) = 1$, we get $p \nmid \mathrm{lc}(g)$. Therefore, $g$ is of degree $d$ in $\mathbb{Z}_p[X]$ and,
for this reason, has at most $d$ zeros in $\mathbb{Z}_p[X]$. From $d < p$ the contradiction
follows. □

In the proof of the preceding lemma we have seen that, if $N$ is a composite
number and if $f \in \mathcal{D}_{N,b}$ is chosen with appropriate degree, we get various
integers $x \in \mathbb{Z}_N$ such that $1 < \gcd(f(x), N) < N$.

Definition 2.6. Let $g \in \mathbb{Z}[X]$. An element $x \in \mathbb{Z}_N$ is called suitable for $g$,
if and only if $1 < \gcd(g(x), N) < N$. We also define

$$\nu(g) := \#\{x \in \mathbb{Z}_N : x \text{ is suitable for } g\}.$$

If we multiply two polynomials $f, g \in \mathbb{Z}[X]$, it may happen that $x \in \mathbb{Z}_N$ is
suitable for $f$ and for $g$, but not for $f \cdot g$.

Definition 2.7. Let $d \in \mathbb{N}$ and $f_i \in \mathbb{Z}[X]$, $1 \le i \le d$. An element $x \in \mathbb{Z}_N$
vanishes in $g := \prod_{i=1}^{d} f_i$, if and only if $\gcd(g(x), N) = N$ and there is at
least one $i$ such that $x$ is suitable for $f_i$.

Theorem 2.8. Let $N \in \mathbb{N}$ be a semiprime number with the prime factors $p$
and $q$ and assume $p < q$. Let $f \in \mathbb{Z}[X]$ and $d := \deg f$. Let $n$ be the number
of distinct zeros of $f$ modulo $p$ and $m$ be the number of distinct zeros of $f$
modulo $q$. Then:

1. $\nu(f) = mp + nq - 2nm$.

2. Let $f \neq 0$ in $\mathbb{Z}_p[X]$ and in $\mathbb{Z}_q[X]$. If $d < p/2$, then $\nu(f) \le dp + dq - 2d^2$.
Proof. For 1.: Let $x \in \mathbb{Z}_N$ be suitable for $f$. Then $x$ is a zero of $f$ either
modulo $p$ or modulo $q$. Let $\alpha_1, \ldots, \alpha_n$ be the distinct zeros of $f$ modulo $p$ and
$\beta_1, \ldots, \beta_m$ be the distinct zeros of $f$ modulo $q$. For $i = 1, \ldots, n$ and $j = 1, \ldots, m$
we consider

$$py + \alpha_i, \quad \text{for } y = 0, \ldots, q - 1,$$
$$qy + \beta_j, \quad \text{for } y = 0, \ldots, p - 1.$$

Every $x$ which is suitable for $f$ is of that form, and these are a priori $mp + nq$
values in $\mathbb{Z}_N$. But some of them might be equal. First, we show that the
values of the form $py + \alpha_i$ are distinct modulo $N$. We assume that there are
$y_1, y_2 \in \mathbb{Z}_q$ with $py_1 + \alpha_i \equiv py_2 + \alpha_k \bmod N$ for some $i, k \in \{1, \ldots, n\}$. For
$i \neq k$ this is not possible, because we get $\alpha_i \equiv \alpha_k \bmod p$, which contradicts
the assumption that the zeros are distinct modulo $p$. For $i = k$, it follows
that $y_1 \equiv y_2 \bmod q$. Hence, the congruence only holds if we compare the
value $py_1 + \alpha_i$ with itself. For this reason, all these values are distinct. By
similar arguments, one can show that this also holds for the values of the
form $qy + \beta_j$.

Next, we consider the case that some value of the form $py + \alpha_i$ is
congruent to some value of the form $qy + \beta_j$. Then this value is a zero of
$f$ modulo $N$. By the Chinese Remainder Theorem, one can easily verify
that $f$ must have exactly $nm$ distinct zeros modulo $N$. Since any zero $z$
of $f$ modulo $N$ is also a zero of $f$ modulo $p$ and modulo $q$, we can write
$z = py_1 + \alpha_i = qy_2 + \beta_j$ for some $y_1, y_2$ and $i, j$. Hence, at every zero of $f$
modulo $N$ exactly two equal values of our list above coincide. The other values
all satisfy $1 < \gcd(f(x), N) < N$. Therefore, we get $\nu(f) = mp + nq - 2nm$.

For 2.: Consider $h = -2XY + Xq + Yp \in \mathbb{Z}[X, Y]$. Since $f$ has at most $d$
distinct zeros modulo $p$ and modulo $q$, we want to maximize this function
for $(x, y) \in [0, d]^2$. We get

$$h_x(x, y) = -2y + q \quad \text{and} \quad h_y(x, y) = -2x + p$$

as partial derivatives. Hence, the only critical point is $(x, y) = (p/2, q/2)$.
But this point is not in $[0, d]^2$, so we consider $h$ on the boundary and get
$g_1(x) = xq$, $g_2(x) = xp$, $g_3(x) = x(q - 2d) + dp$ and $g_4(x) = x(p - 2d) + dq$,
for $x \in [0, d]$. Since $q > 2d$ and $p > 2d$, the maximum is

$$g_3(d) = g_4(d) = dp + dq - 2d^2.$$

□
For any polynomial $f \in \mathbb{Z}[X]$ with appropriate degree $d$, there are at
most $dp + dq - 2d^2$ integers which are suitable for $f$. We are interested in
efficient methods to construct polynomials which are best possible in this
sense. The following theorem yields a method with runtime complexity of
the form $O(d^{1+\epsilon})$. We will use this idea in the factorization algorithm in
Section 3. Therefore, details will be explained in the proof of Theorem 3.4.

Theorem 2.9. Let $N \in \mathbb{N}$ be semiprime with the prime factors $p$ and $q$.
Let $d \in \mathbb{N}$ and $b_i \in \mathbb{Z}$, $1 \le i \le d$. Let $f_i \in \mathcal{D}_{N,b_i}$ such that $\deg f_i = 1$
and write $f_i$ = f X + c t for every $i$. If $\gcd(c_i, N) = 1$ for every $i$ and also
$\gcd(b_j - b_k, N) = 1$ for every choice of $j, k \in \{1, \ldots, d\}$, $j \neq k$, then

$$\nu\left(\prod_{i=1}^{d} f_i\right) = dp + dq - 2d^2.$$


Proof. For $1 \le i \le d$, consider $f_i$. Since $\gcd(c_i, N) = 1$, $f_i \neq 0$ as polynomial
in $\mathbb{Z}_p[X]$ and in $\mathbb{Z}_q[X]$. Therefore, $b_i$ is the only zero of $f_i$ modulo $p$ and
modulo $q$.

Now consider $g := \prod_{i=1}^{d} f_i$. Obviously, every $b_i$, $1 \le i \le d$, is a zero of
$g$ modulo $p$ as well as modulo $q$. Since $\gcd(b_j - b_k, N) = 1$ for every choice
of $j, k \in \{1, \ldots, d\}$, $j \neq k$, these zeros are distinct. For this reason, $g$ has
$d$ distinct zeros modulo $p$ and $d$ distinct zeros modulo $q$. Now we apply
Theorem 2.8. □
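
The counts in Theorem 2.8 and Theorem 2.9 can be checked by brute force on a small semiprime. The following is an added example, not code from the paper: $N = 143 = 11 \cdot 13$ is a constructed sample, the function names are hypothetical, and the linear digit polynomials are taken in the form $X + (N - b)$, so that $f_b(b) = N$.

```python
from math import gcd

def b_adic_digits(N, b):
    """Digits n_0, n_1, ... of N to base b (Definition 2.2), lowest first."""
    digits = []
    while N:
        N, r = divmod(N, b)
        digits.append(r)
    return digits

def poly(coeffs):
    """Integer polynomial function from coefficients, lowest degree first."""
    def f(x):
        acc = 0
        for c in reversed(coeffs):
            acc = acc * x + c
        return acc
    return f

def product(polys):
    """Pointwise product g = f_1 * ... * f_d."""
    def g(x):
        value = 1
        for f in polys:
            value *= f(x)
        return value
    return g

def nu(g, N):
    """nu(g): number of x in Z_N with 1 < gcd(g(x), N) < N (Definition 2.6)."""
    return sum(1 for x in range(N) if 1 < gcd(g(x) % N, N) < N)

def nu_by_zeros(g, p, q):
    """Theorem 2.8, item 1: m*p + n*q - 2*n*m, from the zero counts n and m."""
    n = sum(1 for x in range(p) if g(x) % p == 0)
    m = sum(1 for x in range(q) if g(x) % q == 0)
    return m * p + n * q - 2 * n * m

# Constructed sample: N = 143 = 11 * 13.
P, Q = 11, 13
N = P * Q

def linear_product(bases):
    """Product of the linear digit polynomials X + (N - b) for b in bases."""
    return product([poly([N - b, 1]) for b in bases])

if __name__ == "__main__":
    d = 3
    g = linear_product(range(1, d + 1))      # bases 1, 2, 3 as in Theorem 2.9
    print("nu(f_1 f_2 f_3) =", nu(g, N), "bound:", d * P + d * Q - 2 * d * d)
    p10 = poly(b_adic_digits(N, 10))         # P_10 = X^2 + 4X + 3
    print("nu(P_10) =", nu(p10, N), "by zeros:", nu_by_zeros(p10, P, Q))
    sq = poly([1, 0, 1])                     # X^2 + 1: no zero mod 11, two mod 13
    print("nu(X^2 + 1) =", nu(sq, N), "by zeros:", nu_by_zeros(sq, P, Q))
```

The product of the three linear polynomials reaches the bound $dp + dq - 2d^2$ exactly, while $X^2 + 1$ stays below it because it has no zero modulo 11.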

Remark 2.10. For every polynomial $f_i$ in the theorem above, there are
$p + q - 2$ integers which are suitable for $f_i$. But, if we multiply all these
polynomials, we do not get $d(p + q - 2)$ suitable integers for the product $g$.
It is easy to see that there are $4 \cdot \binom{d}{2}$ integers vanishing in $g$. We get

$$\nu\left(\prod_{i=1}^{d} f_i\right) = dp + dq - 2d^2 = d(p + q - 2) - 4 \cdot \binom{d}{2}.$$

We will now prove a result to ensure the maximum possible number of
suitable integers for the product of digit polynomials of degree 2, which may
be compared to the result in Theorem 2.9. We will see that the $b$-adic digit
polynomials are especially useful in this case, not only because it is easy
to compute them, but also because of their uniqueness and the special way
they are constructed.
Theorem 2.11. Let $N \in \mathbb{N}$ be semiprime with prime factors $p$ and $q$. Let
$d \in \mathbb{N}$ and $b_i \in \mathbb{Z}$, $1 \le i \le d$. Let $f_i \in \mathcal{D}_{N,b_i}$ such that $\deg f_i = 2$ and write
$f_i = n_{2,i} X^2 + n_{1,i} X + n_{0,i}$ for every $i$.

If $\gcd(n_{2,i} \cdot b_i, N) = 1$ for every $i$ and if for $b_{d+i} := n_{0,i} \cdot n_{2,i}^{-1} \cdot b_i^{-1} \bmod N$,
$1 \le i \le d$, we have $\gcd(b_j - b_k, N) = 1$ for every choice of $j, k \in \{1, \ldots, 2d\}$,
$j \neq k$, then

$$\nu\left(\prod_{i=1}^{d} f_i\right) = 2dp + 2dq - 8d^2.$$

Proof. For $1 \le i \le d$, consider $f_i$. Since $\gcd(n_{2,i}, N) = 1$, $f_i$ is a polynomial
of degree 2 modulo $p$. Therefore $f_i$ has at most two zeros modulo $p$. One of
them is $b_i$. But since $\mathbb{Z}_p$ is a field, there has to be another zero modulo $p$.
We know from Vieta’s Theorem that this zero has to be the solution of

$$n_{2,i} b_i \cdot x \equiv n_{0,i} \bmod p.$$

Since $b_{d+i} \equiv n_{0,i} \cdot n_{2,i}^{-1} \cdot b_i^{-1} \bmod p$, $b_{d+i}$ is this zero of $f_i$ modulo $p$. With
similar arguments, one can also show that $b_i$ and $b_{d+i}$ are the zeros of $f_i$
modulo $q$.

Now consider $g := \prod_{i=1}^{d} f_i$. Obviously, every $b_i$, $1 \le i \le 2d$, is a zero of
$g$ modulo $p$ as well as modulo $q$. Since $\gcd(b_j - b_k, N) = 1$ for every choice
of $j, k \in \{1, \ldots, 2d\}$, $j \neq k$, these zeros are distinct. For this reason, $g$ has
$2d$ distinct zeros modulo $p$ and $2d$ distinct zeros modulo $q$. Now we apply
Theorem 2.8. □

If we set d = 1 in the theorem above, the following statement is an 
immediate consequence. 

Corollary 2.12. Let $N \in \mathbb{N}$ be semiprime with prime factors $p$ and $q$.
Let $b \in \mathbb{Z}$ and $f \in \mathcal{D}_{N,b}$ with $\deg f = 2$ and $f = n_2 X^2 + n_1 X + n_0$. If
$\gcd(n_2 \cdot b, N) = 1$ and $\gcd(N, n_2 b^2 - n_0) = 1$, then $\nu(f) = 2p + 2q - 8$.

We want to make Theorem 2.11 applicable. Hence, we have to find digit
polynomials for which the condition of distinct zeros modulo the factors of
$N$ can be verified in $O(d)$ steps. For the linear polynomials in Theorem 2.9
this is feasible, since we are able to choose appropriate bases, for example
consecutive integers. Here, every base $b_i$ we choose comes with a second
integer $b_{d+i}$, which we have to control. The subsequent lemma allows us to
work with digit polynomials of degree 2 in practice.
Lemma 2.13. Let $N \in \mathbb{N}$, $d \in \mathbb{N}$ and let $b_i \in \{\lceil N^{1/2}/\sqrt{2} \rceil, \ldots, \lfloor N^{1/2} \rfloor\}$,
$1 \le i \le d$, be coprime to $N$ such that $b_{i+1} = b_i + 1$. Set $D := b_1 + \lfloor N/b_d \rfloor$.

If $\gcd(D + z, N) = 1$ for every $z \in \{0, \ldots, 2d - 2\}$ and if the $b$-adic digit
polynomials $P_{b_i}$ satisfy $n_{1,i} \le n_{0,i} + 1$ for every $i$, then they also satisfy the
conditions in Theorem 2.11.

Proof. Let $i \in \{1, \ldots, d\}$ be arbitrary. It is easy to see that $n_{2,i} = 1$ for
this choice of bases. Since $\gcd(b_i, N) = 1$, the first condition of Theorem
2.11 is satisfied. Now set $b_{d+i} := n_{0,i} b_i^{-1} \bmod N$. Consider the division
with remainder of $N$ with respect to $b_i$ and write $m_i b_i + n_{0,i} = N$. We
get $-m_i b_i \equiv n_{0,i} \equiv b_{d+i} b_i \bmod N$, hence $-m_i \equiv b_{d+i} \bmod N$. Next, we
consider $N = (m_i - 1)(b_i + 1) + r = m_i b_i + m_i - b_i - 1 + r$ for some $r \in \mathbb{Z}$.
Assume that $r \ge b_i + 1$. Then it follows that $N \ge m_i b_i + m_i$. But since
$b_i \le \lfloor N^{1/2} \rfloor$, it is easy to see that $m_i \ge b_i$. By $n_{0,i} < b_i$ we conclude

$$N \ge m_i b_i + m_i \ge m_i b_i + b_i > m_i b_i + n_{0,i} = N,$$

hence a contradiction. Now we assume that $r < 0$. Then it follows that
$N < m_i b_i + m_i - b_i - 1$. But this yields that $n_{0,i} + b_i + 1 < m_i$, and by
$N > b_i(n_{0,i} + b_i + 1) + n_{0,i} = b_i^2 + (n_{0,i} + 1) b_i + n_{0,i}$ we conclude $n_{1,i} > n_{0,i} + 1$,
which contradicts our assumption. As a consequence, we get $0 \le r < b_i + 1$.
Because of the uniqueness of the division with remainder, there has to be
$r = n_{0,i+1}$ and $m_{i+1} = m_i - 1$. Altogether we derive

$$b_{d+i+1} \equiv -m_{i+1} \equiv -m_i + 1 \equiv b_{d+i} + 1 \bmod N.$$

Now assume that there exist $j, k \in \{1, \ldots, d\}$ such that $b_{d+k} \equiv b_j \bmod p$.
We write $b_j = b_1 + m$ for some $m \in \{0, \ldots, d - 1\}$ and, as we just have shown,
we can write

$$b_{d+k} \equiv b_{2d} - l \equiv -m_d - l \equiv -\lfloor N/b_d \rfloor - l \bmod p,$$

for some $l \in \{0, \ldots, d - 1\}$. It follows that $-\lfloor N/b_d \rfloor - l \equiv b_1 + m \bmod p$.
Therefore, we get

$$0 \equiv b_1 + \lfloor N/b_d \rfloor + m + l = D + z \bmod p,$$

for some $z \in \{0, \ldots, 2d - 2\}$. But this contradicts our assumption. Hence,
for every choice of $j, k \in \{1, \ldots, d\}$, the integers $b_{d+j}$ are different from the
integers $b_k$ modulo $p$. It is also impossible that there exist $j, k \in \{1, \ldots, d\}$,
$j \neq k$ with $b_{d+k} \equiv b_{d+j} \bmod p$ or with $b_k \equiv b_j \bmod p$, because this would
imply $p < d$, which as well contradicts the assumption $\gcd(D + z, N) = 1$
for $z \in \{0, \ldots, 2d - 2\}$. By similar arguments, one can show that the zeros
are all distinct modulo $q$. □
3 The Algorithm and its Parameters

Let $N \in \mathbb{N}$ be a composite number. Without knowledge of the factorization
of $N$, we are able to construct a polynomial $g \in \mathbb{Z}[X]$ such that

$$1 < \gcd(g(x), N) < N,$$

for as many $x \in \mathbb{Z}_N$ as possible. The main idea for the algorithm is to find
a subset of $\mathbb{Z}_N$ containing at least one element which is either suitable for
or vanishing in $g$. Let $d \in \mathbb{N}$. We work with the following parameters.

1. A set $B := \{b_n \in \mathbb{Z}_N : 1 \le n \le d\}$ of bases for the digit polynomials.

2. For every $b \in B$, we choose exactly one $f_b \in \mathcal{D}_{N,b}$. We denote the set
of all these polynomials by $\mathcal{D}(B)$.

3. A set $S := \{s_n \in \mathbb{Z}_N : 1 \le n \le d\}$, containing at least one element
suitable for or vanishing in $g := \prod_{b \in B} f_b$.

These three sets determine the following algorithm, and its correctness
and runtime depend on finding a good choice for them.

Algorithm 3.1. Let $N \in \mathbb{N}$ and the sets $B = \{b_n \in \mathbb{Z}_N : 1 \le n \le d\}$,
$\mathcal{D}(B) = \{f_b \in \mathcal{D}_{N,b} : b \in B\}$ and $S = \{s_n \in \mathbb{Z}_N : 1 \le n \le d\}$ be given,
where $d \in \mathbb{N}$. Set $a_1 = 1$, $a_2 = 1$ and take the following steps to factor $N$:

1. For every $b \in B$, compute $f_b \in \mathcal{D}(B)$. Next, compute the polynomial
$g := \prod_{b \in B} f_b \bmod N$.

2. For every $n \in \{1, \ldots, d\}$, compute $y_n := g(s_n) \bmod N$.

3. Set $j := a_1$.

4. If $j > d$, print ’Error A’. Otherwise compute $G_j := \gcd(y_j, N)$. If
$G_j = 1$, set $a_1 = j + 1$ and go to Step 3. If $1 < G_j < N$, print $G_j$. We
have found a nontrivial factor of $N$ and the algorithm terminates. If
$G_j = N$, go to Step 5.

5. Set $i := a_2$.

6. If $i > d$, print ’Error B’. Otherwise compute $H_i := \gcd(f_{b_i}(s_j), N)$. If
$H_i = 1$ or $H_i = N$, set $a_2 = i + 1$ and go to Step 5. If $1 < H_i < N$,
print $H_i$. We have found a nontrivial factor of $N$ and the algorithm
terminates.
We now clarify which conditions are necessary to make the algorithm
work. Finding a solution to the following problem is crucial.

Problem 3.2. Let $N \in \mathbb{N}$ be of unknown factorization. For $d \in \mathbb{N}$, construct
two disjoint sets $\{b_n : 1 \le n \le d\}$ and $\{s_n : 1 \le n \le d\}$ in $\mathbb{Z}_N$ with the
property that, if $N$ is composite, there must exist $i, j \in \{1, \ldots, d\}$ and a prime
factor $p$ of $N$ such that $b_i \equiv s_j \bmod p$.

Example 3.3. Let $d := \lceil N^{1/4} \rceil$. Then it is easy to prove that the choice of
the sets $\{-n \bmod N : 1 \le n \le d\}$ and $\{(n - 1)d \bmod N : 1 \le n \le d\}$ is
a solution to the problem.

A solution to Problem 3.2 could be used in an obvious way to factor
natural numbers in $O(d^2)$. The subsequent theorem shows how we can apply
a solution to factorize much faster, using Algorithm 3.1.

Theorem 3.4. Let $N$ be a natural number and let $\{b_n : 1 \le n \le d\}$ and
$\{s_n : 1 \le n \le d\}$ be a solution to Problem 3.2. Then Algorithm 3.1 runs in
$O(d^{1+\epsilon})$ with the parametrization

$$B := \{b_n : 1 \le n \le d\},$$

$$\mathcal{D}(B) := \{X - b : b \in B\},$$

$$S := \{s_n : 1 \le n \le d\}.$$

The algorithm will find a nontrivial factor of $N$ if it is composite, and will
print ’Error A’ if $N$ is prime.

Proof. Let $N$ be composite. Since $B$ and $S$ are disjoint subsets of $\mathbb{Z}_N$, we
have

$$s \not\equiv b \bmod N$$

and therefore $f_b(s) \not\equiv 0 \bmod N$ for every choice of $s \in S$ and $b \in B$. This
implies that if there is $s \in S$ such that $\gcd(g(s), N) = N$, $s$ vanishes in $g$
and Algorithm 3.1 will find a nontrivial factor in Step 6.

It remains to show there is $n \in \{1, \ldots, d\}$ with $1 < G_n \le N$ in Step 4.
Since the sets $B$ and $S$ are a solution to Problem 3.2, there is a prime factor
$p$ of $N$ and at least one pair $(b', s') \in B \times S$ such that $b' \equiv s' \bmod p$. We
get $f_{b'}(s') = s' - b' \equiv 0 \bmod p$, hence $1 < \gcd(g(s'), N) \le N$.

Let $N$ be prime. Since $B$ and $S$ are disjoint subsets of $\mathbb{Z}_N$, $N$ cannot be
a divisor of products of differences of their elements. There must be $G_n = 1$
for every $n \in \{1, \ldots, d\}$ in Step 4, and the algorithm prints ’Error A’.
Let us discuss the runtime complexity of the algorithm. Note that the
multiplication time $M(d)$ for multiplying two integers of length $d$ can be
bounded by $O(d \log d \cdot \log(\log d))$.

Step 1: We have to multiply $d$ polynomials of degree 1. There are well
known methods to do this by $O(M(d) \log d)$ arithmetic operations.

Step 2: Here we have to evaluate the polynomial $g$ of degree $d$ in $d$
points. This can be done by $O(M(d) \log d)$ arithmetic operations, using the
well known methods for multipoint evaluation of polynomials.

Step 4 and Step 6: We have to compute at most $d$ greatest common
divisors in each of these steps. For this task, we employ the Euclidean
Algorithm.

To summarize, the algorithm runs in $O(M(d) \log d)$. That proves our
claim. □

Remark 3.5. We could choose any $f_b \in \mathcal{D}_{N,b}$ satisfying $f_b(s) \not\equiv 0 \bmod N$
for every $s \in S$ and $b \in B$. But for computational convenience, we should
use $f_b = X + N - b \equiv X - b \bmod N$ as digit polynomial to base $b$. The
possibility to work with a larger variety of digit polynomials seems to be
more of theoretical interest and has been discussed in Section 2. For detailed
information concerning the tools used in Step 1 and Step 2, we refer the
reader to [GG, Ch.10], in particular, to the algorithms in 10.3 and 10.5.

Remark 3.6. (Strassen’s method as special case)

Let $d := \lceil N^{1/4} \rceil$. We recall Strassen’s factoring algorithm. The polynomial

$$g = (X + 1)(X + 2) \cdots (X + d)$$

is evaluated in $0, d, 2d, \ldots, (d - 1)d$ in order to compute all parts of $\lfloor N^{1/2} \rfloor!$ to
find a factor of $N$. But we may also consider the method as an application
of the solution presented in Example 3.3 and, therefore, as Algorithm 3.1
running with the parametrization

$$B := \{-n \bmod N : 1 \le n \le d\},$$

$$\mathcal{D}(B) := \{X + n : 1 \le n \le d\},$$

$$S := \{(n - 1)d \bmod N : 1 \le n \le d\}.$$

This and other more or less similar solutions to Problem 3.2 yield the current
deterministic complexity bound $O(N^{1/4+\epsilon})$ for unconditional integer
factorization. More generally, if we know that there is a prime factor smaller than
$\lfloor N^{1/m} \rfloor$, which for instance has to be the case if $N$ has at least $m$ nontrivial
factors, then it is easy to see that we have a solution for $d := \lceil N^{1/(2m)} \rceil$. Hence,
we are able to run Algorithm 3.1 in $O(N^{1/(2m)+\epsilon})$ in these cases.
4 A Computational Approach

If we want to improve the current bound for deterministic integer
factorization, one way could be to find a better solution for Problem 3.2, working
for a lower $d$, on which the runtime of the algorithm mainly depends.

Theorem 4.1. Let $N \in \mathbb{N}$ be composite and $p$ a prime factor of $N$ with
$p < b$ for some $b < N/5$. If we know a pair $m, r$ of natural numbers with
$2 < m < p$ such that $r \equiv p \bmod m$, we can find a nontrivial factor of $N$ in
$O(d^{1+\epsilon})$, where $d = \lceil (b/m)^{1/2} \rceil$.

Proof. We have $p < b \le md^2$, therefore we can write $p = mx + r$ for
some $x \in \{0, 1, 2, \ldots, d^2 - 1\}$. Furthermore, we write $x = i - j$ for some
$i \in \{d, 2d, \ldots, d^2\}$ and some $j \in \{1, 2, \ldots, d\}$. We deduce $p = m(i - j) + r$,
which implies $mi + r \equiv mj \bmod p$. For $n \in \mathbb{N}$, $1 \le n \le d$, we define

$$b_n := mdn + r,$$
$$s_n := mn.$$

We derive $1 < m \le s_n \le md < md + r \le b_n \le md^2 + r < N$ for every
$n \in \{1, \ldots, d\}$, since

$$md^2 + r = m(\lceil (b/m)^{1/2} \rceil)^2 + r < m((b/m)^{1/2} + 1)^2 + m$$

$$= b + 2(bm)^{1/2} + 2m < 5b < N.$$

As a consequence, $\{b_n : 1 \le n \le d\}$ and $\{s_n : 1 \le n \le d\}$ are disjoint
subsets of $\mathbb{Z}_N$ and we have $b_{i/d} \equiv s_j \bmod p$. It follows that the sets are a
solution to Problem 3.2 and we apply Theorem 3.4. □
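
Algorithm 3.1 can be run with the parametrization of Example 3.3 (Strassen) and with the sets $b_n$, $s_n$ from the proof of Theorem 4.1. The following is an added example, not code from the paper: the function names and the sample numbers are constructed, $f_b = X - b$ is used as in Theorem 3.4, and the product and evaluations use naive arithmetic, so this sketch costs $O(d^2)$ operations rather than the $O(d^{1+\epsilon})$ of fast multipoint evaluation.

```python
from math import gcd, isqrt

def times_linear(g, b, N):
    """Multiply g (coefficients, lowest degree first) by X - b, modulo N."""
    out = [0] * (len(g) + 1)
    for k, c in enumerate(g):
        out[k] = (out[k] - b * c) % N
        out[k + 1] = (out[k + 1] + c) % N
    return out

def evaluate(g, x, N):
    """Horner evaluation of g at x, modulo N."""
    acc = 0
    for c in reversed(g):
        acc = (acc * x + c) % N
    return acc

def algorithm_3_1(N, B, S):
    """Algorithm 3.1 with f_b = X - b. Returns (where it stopped, factor)."""
    d = len(B)
    if len(S) != d or set(B) & set(S):
        raise ValueError("B and S must be disjoint and of equal size")
    g = [1]
    for b in B:                              # Step 1: g = prod (X - b) mod N
        g = times_linear(g, b, N)
    y = [evaluate(g, s, N) for s in S]       # Step 2: y_n = g(s_n) mod N
    for j in range(d):                       # Steps 3 and 4
        G = gcd(y[j], N)
        if 1 < G < N:
            return ("Step 4", G)
        if G == N:                           # Steps 5 and 6: s_j vanishes in g
            for i in range(d):
                H = gcd((S[j] - B[i]) % N, N)
                if 1 < H < N:
                    return ("Step 6", H)
            return ("Error B", None)
    return ("Error A", None)

def strassen_sets(N):
    """Example 3.3: d = ceil(N^(1/4)), B = {-n mod N}, S = {(n-1)d mod N}."""
    d = isqrt(isqrt(N))
    if d ** 4 < N:
        d += 1
    B = [(-n) % N for n in range(1, d + 1)]
    S = [((n - 1) * d) % N for n in range(1, d + 1)]
    return B, S

def residue_sets(b, m, r):
    """Theorem 4.1: d = ceil((b/m)^(1/2)), b_n = m*d*n + r, s_n = m*n."""
    d = isqrt(-(-b // m) - 1) + 1
    B = [m * d * n + r for n in range(1, d + 1)]
    S = [m * n for n in range(1, d + 1)]
    return B, S

# Constructed inputs: 10403 = 101 * 103, and 10007 is prime.
if __name__ == "__main__":
    N = 10403
    print(algorithm_3_1(N, *strassen_sets(N)))          # d = 11
    print(algorithm_3_1(N, *residue_sets(102, 10, 1)))  # d = 4, 101 = 10*10 + 1
    print(algorithm_3_1(10007, *strassen_sets(10007)))  # prime input
```

With the Strassen sets both prime factors of 10403 fall into the same block $100, \ldots, 110$, so the factor is only separated in Step 6; knowing $m = 10$ and $r = 1$ shrinks $d$ from 11 to 4 and the factor already appears in Step 4.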

Remark 4.2. Let $N \in \mathbb{N}$, $N > 30$ be composite and $\lceil N^{1/6} \rceil < p < b$ a
prime factor of $N$, where $b = \lceil N^{1/2} \rceil < N/5$.

1. If we know $m, r \in \mathbb{N}$ with $m > \lceil N^{1/10} \rceil$ and $r \equiv p \bmod m$, we can
find a nontrivial factor of $N$ in $O(N^{1/5+\epsilon})$.

2. If we know $m, r \in \mathbb{N}$ with $m > \lceil N^{1/6} \rceil$ and $r \equiv p \bmod m$, we can find
a nontrivial factor of $N$ in $O(N^{1/6+\epsilon})$.

If $N$ is a composite number with more than three nontrivial divisors,
we already have algorithms with runtime $O(N^{1/6+\epsilon})$ to factorize $N$ (see
Remark 3.6). Therefore, we only consider the semiprime case in the
following problem, which is currently unsolved. Solving it would improve the
deterministic complexity bound for integer factorization to $O(N^{1/6+\epsilon})$.
Problem 4.3. Let $N \in \mathbb{N}$ be semiprime with prime factors $p$ and $q$ and
assume $p < q$. Find an algorithm with runtime $O(N^{1/6+\epsilon})$ to compute a
pair $(m, r) \in \mathbb{N}^2$ such that $\lceil N^{1/6} \rceil < m < p$ and $r \equiv p \bmod m$.

Now we use the idea of Theorem 4.1 to construct another solution to
Problem 3.2.

Corollary 4.4. Let $N \in \mathbb{N}$ be composite and $p$ a prime factor of $N$ with
$p < b$ for some $b < N/5$. If $r, m \in \mathbb{N}$ such that $2 < m < p$, $\gcd(N, m) = 1$
and $r \equiv p \bmod m$, then the sets

$$\{m^{-1} r - n \bmod N : 1 \le n \le d\}$$

$$\{-dn \bmod N : 1 \le n \le d\}$$

are a solution to Problem 3.2, where $d = \lceil (b/m)^{1/2} \rceil$.

Proof. In the proof of Theorem 4.1 we have already shown that there are
$i, j \in \{1, 2, \ldots, d\}$ such that $mdi + r \equiv mj \bmod p$. Clearly, this implies
$-di \equiv m^{-1} r - j \bmod p$. It remains to show that the two sets are disjoint
in $\mathbb{Z}_N$. Assume to the contrary that there are $x, y \in \{1, 2, \ldots, d\}$ such that
$-dx \equiv m^{-1} r - y \bmod N$. We deduce $mdx + r \equiv my \bmod N$. But in the
proof of Theorem 4.1 we have also seen that $\{mdn + r : 1 \le n \le d\}$ and
$\{mn : 1 \le n \le d\}$ are disjoint in $\mathbb{Z}_N$, hence we derive a contradiction. □

Remark 4.5. The only a priori unknown value in the sets considered in the
preceding lemma is $m^{-1} r \bmod N$. Knowing it would immediately enable us
to apply Algorithm 3.1 with $d = \lceil (b/m)^{1/2} \rceil$. Also note that $p = m \lfloor p/m \rfloor + r$
and therefore $m^{-1} r \equiv -\lfloor p/m \rfloor \bmod p$.

5 Characterizations for Primes 

Finally, we present some characterizations of primality by digit polynomials.
The major work for the following proofs is already done. Let $N \in \mathbb{N}$ be a
fixed odd number. Note that it is easy to detect powers of prime numbers,
which allows us to assume that $N$ is either prime or composite with at least
two different prime factors.

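Theorem 5.1. Let $b \in \mathbb{Z}$ and $f \in \mathcal{D}_{N,b}$ with $d := \deg f$. Let $d$ be smaller
than $q := \max\{q' \in \mathbb{P} : q' \mid N\}$ and $\gcd(\mathrm{lc} f, N) = 1$. Then the following
holds:


$$N \in \mathbb{P} \iff \forall x \in \mathbb{Z}_N : f^{N-1}(x) \bmod N \in \{0, 1\}.$$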













Proof. Assume that $N$ is prime. Then the statement immediately follows
from Fermat’s little Theorem.

Assume that $N$ is a composite number. Let $p$ be a prime factor of $N$
such that $p \neq q$. According to Lemma 2.5 there exists $x \in \mathbb{Z}$ with $p \mid f(x)$
and $q \nmid f(x)$. Write $pj = f(x)$ for some $j \in \mathbb{Z}$. Then we get

$$f^{N-1}(x) \not\equiv 1 \bmod N,$$

because otherwise there would exist $k \in \mathbb{Z}$ with $(pj)^{N-1} - 1 = pk$, hence $p \mid 1$.
Since $f^{N-1}(x) \not\equiv 0 \bmod q$, we also derive $f^{N-1}(x) \not\equiv 0 \bmod N$. Therefore,
we have found $x \in \mathbb{Z}$ with $f^{N-1}(x) \not\equiv 1 \bmod N$ and $f^{N-1}(x) \not\equiv 0 \bmod N$,
which yields a contradiction. □

Corollary 5.2. Let $b \in \mathbb{Z}$ and $f \in \mathcal{D}_{N,b}$ with $d := \deg f$. Let $d$ be smaller
than $q := \max\{q' \in \mathbb{P} : q' \mid N\}$ and $\gcd(\mathrm{lc} f, N) = 1$. Then the following
holds:

$$N \in \mathbb{P} \iff \forall x \in \mathbb{Z}_N : f^{\frac{N-1}{2}}(x) \bmod N \in \{-1, 0, 1\}.$$


Proof. Assume that $N$ is prime. Then the statement immediately follows
from Euler’s Criterion.

Assume that $N$ is a composite number. According to Theorem 5.1 there is
$x \in \mathbb{Z}_N$ such that $f^{N-1}(x) \bmod N$ is neither 0 nor 1. Then $f^{\frac{N-1}{2}}(x) \bmod N$
is different from $-1$, 0 and 1. Hence, this implies a contradiction. □

Example 5.3. Let $b = N$ and let $f = X \in \mathcal{D}_{N,b}$. Then all the conditions
of Theorem 5.1 and Corollary 5.2 are satisfied. We derive the well known
results

$$N \in \mathbb{P} \iff \forall x \in \mathbb{Z}_N : x^{N-1} \bmod N \in \{0, 1\}$$

$$\iff \forall x \in \mathbb{Z}_N : x^{\frac{N-1}{2}} \bmod N \in \{-1, 0, 1\}.$$
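
The criteria of Theorem 5.1 and Corollary 5.2 quantify over every $x \in \mathbb{Z}_N$, including residues that share a factor with $N$. The following added example (not code from the paper; function names and sample values are constructed, and the caller is assumed to pass a digit polynomial meeting the hypotheses of Theorem 5.1) evaluates both criteria exhaustively.

```python
def value(coeffs, x, N):
    """f(x) mod N for f given by coefficients, lowest degree first."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % N
    return acc

def first_witness(N, coeffs):
    """Smallest x in Z_N with f(x)^(N-1) mod N outside {0, 1}, else None."""
    for x in range(N):
        if pow(value(coeffs, x, N), N - 1, N) not in (0, 1):
            return x
    return None

def passes_theorem_5_1(N, coeffs):
    """True iff f(x)^(N-1) mod N is 0 or 1 for every x in Z_N."""
    return first_witness(N, coeffs) is None

def passes_corollary_5_2(N, coeffs):
    """True iff f(x)^((N-1)/2) mod N is -1, 0 or 1 for every x in Z_N."""
    allowed = (0, 1, N - 1)
    return all(pow(value(coeffs, x, N), (N - 1) // 2, N) in allowed
               for x in range(N))

# Constructed samples:
#   101 is prime, 10-adic digit polynomial X^2 + 1;
#   143 = 11 * 13, 10-adic digit polynomial X^2 + 4X + 3;
#   561 = 3 * 11 * 17 is a Carmichael number, f = X as in Example 5.3.
if __name__ == "__main__":
    print(passes_theorem_5_1(101, [1, 0, 1]), passes_corollary_5_2(101, [1, 0, 1]))
    print(first_witness(143, [3, 4, 1]))
    print(first_witness(561, [0, 1]), passes_corollary_5_2(561, [0, 1]))
```

For 561 the Fermat congruence holds at every unit, and the composite is only exposed at $x = 3$, a residue sharing a factor with $N$.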